From: sven.vermeulen@siphos.be (Sven Vermeulen)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH v2 5/6] Prepare udev interfaces for /run usage
Date: Thu, 28 Jun 2012 21:17:25 +0200
Message-ID: <1340911046-30441-6-git-send-email-sven.vermeulen@siphos.be>
In-Reply-To: <1340911046-30441-1-git-send-email-sven.vermeulen@siphos.be>

Recent udev implementations now use /run (actually, /run/udev) for storing
database files, rules and more. Hence, we need to extend existing interfaces to
support searching through the udev_var_run_t location (as most of that was
previously only in device_t and/or etc_t or udev_etc_t).

Besides enhancing the interfaces, we provide additional ones that will be used
by the init script (for udev), which needs to create and support the new
/run/udev locations.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/system/udev.if |   74 ++++++++++++++++++++++++++++++++++++++++-
 1 files changed, 73 insertions(+), 1 deletions(-)

diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index 025348a..f1d1ce0 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -146,6 +146,10 @@ interface(`udev_manage_rules_files',`
 	')
 
 	manage_files_pattern($1, udev_rules_t, udev_rules_t)
+	
+	files_search_etc($1)
+
+	udev_search_pids($1)
 ')
 
 ########################################
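Review bot: the added blank line at the top of this hunk (the `+` line between manage_files_pattern and files_search_etc) carries a trailing tab; refpolicy keeps blank lines empty, so drop the whitespace. The two new calls are otherwise consistent with the commit message: rules under /run/udev need search through var_run_t and udev_var_run_t, and rules under /etc need search through etc_t, so every caller of udev_manage_rules_files now gets both. It would help to mention in the interface's <summary> that the rules may live under /etc or /run so callers understand why both search permissions are granted.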
@@ -187,10 +191,16 @@ interface(`udev_read_db',`
 		type udev_tbl_t;
 	')
 
-	dev_list_all_dev_nodes($1)
 	allow $1 udev_tbl_t:dir list_dir_perms;
+	
 	read_files_pattern($1, udev_tbl_t, udev_tbl_t)
 	read_lnk_files_pattern($1, udev_tbl_t, udev_tbl_t)
+
+	dev_list_all_dev_nodes($1)
+	
+	files_search_etc($1)
+
+	udev_search_pids($1)
 ')
 
 ########################################
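Review bot: moving dev_list_all_dev_nodes($1) from the top of udev_read_db to below the read_*_pattern calls changes nothing in the resulting policy and only enlarges the diff; keep the original position and add only the files_search_etc($1) and udev_search_pids($1) lines. The two added blank lines in this hunk (after the list_dir_perms rule and after dev_list_all_dev_nodes) carry a trailing tab, as in the previous hunk, and should be empty.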
@@ -214,6 +224,68 @@ interface(`udev_rw_db',`
 
 ########################################
 ## <summary>
+##	Search through udev pid content
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`udev_search_pids',`
+	gen_require(`
+		type udev_var_run_t;
+	')
+
+	files_search_pids($1)
+	search_dirs_pattern($1, udev_var_run_t, udev_var_run_t)
+')
+
+########################################
+## <summary>
+##	Create directories in the run location with udev_var_run_t type
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+## 	<summary>
+##	Name of the directory that is created
+##	</summary>
+## </param>
+#
+interface(`udev_pid_filetrans_run_dirs',`
+	gen_require(`
+		type udev_var_run_t;
+	')
+
+	files_pid_filetrans($1, udev_var_run_t, dir, $2)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	udev pid directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`udev_manage_pid_dirs',`
+	gen_require(`
+		type udev_var_run_t;
+	')
+
+	files_search_var($1)
+	manage_dirs_pattern($1, udev_var_run_t, udev_var_run_t)
+')
+
+########################################
+## <summary>
 ##	Create, read, write, and delete
 ##	udev pid files.
 ## </summary>
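Review bot: udev_manage_pid_dirs calls files_search_var($1), but udev_search_pids in the same hunk calls files_search_pids($1); for a directory under /run (or /var/run) the caller needs search on var_run_t, which files_search_var does not grant, so replace it with files_search_pids($1) as in udev_search_pids. The interface name udev_pid_filetrans_run_dirs repeats "run" (pid already denotes the var_run location) and does not match the udev_manage_pid_dirs name next to it; udev_pid_filetrans_dirs would follow the naming of the other two. In the <param name="name"> block for that interface, the "## \t<summary>" line has a space before the tab, which refpolicy's style check will flag; make it a plain tab.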
-- 
1.7.3.4

Thread overview: 14+ messages
2012-06-28 19:17 [refpolicy] [PATCH v2 0/6] Updates on init scripts and udev (mainly /run related) Sven Vermeulen
2012-06-28 19:17 ` [refpolicy] [PATCH v2 1/6] Support log location for init script logging Sven Vermeulen
2012-07-02 14:47   ` Christopher J. PeBenito
2012-06-28 19:17 ` [refpolicy] [PATCH v2 2/6] Allow init scripts to handle sysctls Sven Vermeulen
2012-07-02 14:47   ` Christopher J. PeBenito
2012-07-02 20:19     ` Sven Vermeulen
2012-07-02 20:25       ` Dominick Grift
2012-07-03 13:59       ` Christopher J. PeBenito
2012-07-03 17:49         ` Sven Vermeulen
2012-07-10 12:27           ` Christopher J. PeBenito
2012-06-28 19:17 ` [refpolicy] [PATCH v2 3/6] Supporting interfaces for the /run changes Sven Vermeulen
2012-06-28 19:17 ` [refpolicy] [PATCH v2 4/6] Allow init scripts to populate /run location Sven Vermeulen
2012-06-28 19:17 ` Sven Vermeulen [this message]
2012-06-28 19:17 ` [refpolicy] [PATCH v2 6/6] Allow init scripts to create and manage (udev) " Sven Vermeulen
